The FBI, Hijacked DNS and you
A couple of months ago we got a letter from the FBI. Official looking and all, it required us to log
into a secure site with a cryptic password they provided in the letter. The information there
described how they caught the folks that wrote a bot that infected people's PCs and quietly overwrote
the DNS settings. (My wife read this last night and asked, 'What's a bot?' Most bots are software,
like viruses/trojans, that get installed on your PC without your consent or knowledge. They normally have
a task or two, like changing your DNS settings and looking for other PCs to infect, then report back to
a server somewhere to wait for additional instructions.)
DNS stands for Domain Name System. Its function is to translate a domain name into an IP address.
The whole Internet runs on IP addresses (numbers), not names. Domain and host names exist for our
convenience, so it is easier to get to www.mintel.net than to type in 208.103.32.12. You might be able
to remember a few of them, but after a while it would get very confusing. Your PC has a DNS client that
asks a DNS server for the IP address that goes with a name. If you are going to www.google.com, your PC
asks our DNS server what the IP address is. The DNS server replies with Google's IP address and your PC
finds its way to Google. Sort of like the highway system: you drive from one place to another by following
numbered highways. It would be difficult if every section of a highway had a different name you had to
follow.
What this bot did was hijack your DNS settings so your PC asked THEIR DNS server for the IP address
instead of the one it is supposed to ask. Being in control like that, they could and did give fake
replies, redirecting you to the site they wanted you to go to. Apparently their goal was to generate
revenue by sending you to commercial websites that paid them for everyone they redirected. They made
millions from that. Most victims don't even know they are infected with the bot.
An international law enforcement operation arrested these folks and took control of the DNS servers in
Estonia. They replaced them with clean servers that answer correctly, and they started documenting all
the IPs requesting DNS information from them: only infected PCs would be asking those servers. The site
we went to, per the letter, had a list of about 40 MINTEL IP addresses that had been logged going to the
rogue DNS servers. The biggest problem we had was that the list was from August 2011, 6 months old.
Pretty worthless information at this point. I believe we were supposed to try and contact the customers
that had those IPs, with the understanding that the FBI knew those PCs were infected. If the information
had been a month or so old it would probably have helped, but 6 months old?
Here's what is going to happen: the government is going to shut down those DNS servers soon (July 9th).
The FBI estimates 360,000 PCs in the US are infected. The 40 people from MINTEL with infected PCs will no
longer be able to get DNS answers from those servers and their Internet will quit working. We'll get a
call or 2, or 40, complaining their Internet is not working. We'll go out with a PC and verify it. It will
work for us. If you read this and your Internet quits on July 9th, you know why.
The site dcwg.org (link below) has a real quick and easy test to tell if your PC is infected.
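As an added example (not part of the original article), here is the kind of check an ISP help desk could run on a customer's PC: read the configured DNS servers from `ipconfig /all` on Windows or /etc/resolv.conf elsewhere, and flag any resolver that is not one of the ISP's own. The expected resolver addresses and the sample ipconfig text are constructed placeholders, not values from the article.

```python
# Added example: flag DNS resolver settings that do not point at the expected
# (ISP) resolvers. Addresses and the sample ipconfig text are constructed placeholders.
import ipaddress
import re

# Resolvers the ISP expects customer PCs to use (constructed placeholders).
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.54")}

# "DNS Servers . . . : addr" (Windows ipconfig /all), "nameserver addr"
# (/etc/resolv.conf), and the indented address-only lines Windows prints
# for each additional server.
_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
_NS_LINE = re.compile(r"^\s*nameserver\s+(\S+)\s*$")
_ADDR_ONLY = re.compile(r"^\s+(\S+)\s*$")


def parse_resolvers(text):
    """Return the resolver IP addresses found in ipconfig /all or resolv.conf output."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        m = _DNS_LINE.match(line) or _NS_LINE.match(line)
        if m:
            in_dns_block = bool(_DNS_LINE.match(line))  # continuation lines only on Windows
        elif in_dns_block:
            m = _ADDR_ONLY.match(line)
            in_dns_block = bool(m)  # first non-address line ends the server list
        if m:
            try:
                found.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # not an IP literal (e.g. a hostname); ignore it
    return found

def unexpected_resolvers(text):
    """Resolvers not on the expected list: a changed setting worth investigating."""
    return [str(a) for a in parse_resolvers(text) if a not in EXPECTED_RESOLVERS]

# Constructed ipconfig /all excerpt from a PC whose DNS setting was altered.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for addr in unexpected_resolvers(SAMPLE_IPCONFIG):
        print("unexpected resolver:", addr)
```

Run it against the real `ipconfig /all` output (or resolv.conf) of the PC being checked; a resolver that is not one of the ISP's is the setting this bot changes.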
To detect and clean DNSbot:
www.dcwg.org
www.malwarebytes.org
www.superantispyware.com
Additional articles:
Security Affairs
TheWindowsClub
Wikipedia and DNS Hijacking
Half of Fortune 500s, US Govt. Still Infected with DNSChanger Trojan